000032607 - RSA Security Analytics Historical graph showing "No chart data available" for selected time range

Document created by RSA Customer Support Employee on Jun 30, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000032607
Applies To:
RSA Product Set: Security Analytics
RSA Product/Service Type: Health & Wellness, Security Analytics UI
RSA Version/Condition: 10.4.x, 10.5.x
 
Issue
When navigating to Health & Wellness -> System Stats Browser -> Historical graph, the graph does not show values for some statistics, such as Meta Rate (Current), Meta Rate (maximum), Session Rate (Current), Session Rate (maximum) and Sessions Behind.
Cause
A long host name, more than 64 characters, for the Decoder source in the Concentrator.
Stats are arriving from collectd of the Concentrator into SMS but due to the long host name, the message is not being handled by SMS correctly.
For example, on the Security Analytics server, the decoder source is stored as "concentrator_devices.192.168.x.x:56004" under /var/lib/netwitness/collectd/rrd/UUID
If the user replaces the IP address with the Decoder hostname, the name becomes 64 characters long, for example "concentrator_devices.rsa_longer_decoder_hostname:56004".
64 Characters is the limit for a complete property name.
 
Resolution
A feature enhancement request has been submitted to support longer hostnames that exceed 63 characters in the System Monitoring Service (SMS).
Workaround
  1. Connect to the Concentrator via SSH as the root user.
  2. Replace each occurrence of the Source Decoder hostname with its IP address in the NwConcentrator.cfg file, as shown in the example below.
    Source Decoder hostname : rsa_longer_source_decoder_hostname
    IP : 192.168.10.10
     
    # cd /etc/netwitness/ng/
    # cp NwConcentrator.cfg NwConcentrator.cfg.bak
    # vi NwConcentrator.cfg

    Press colon (:) and enter the line below. It changes only whole words exactly matching the hostname to the IP address. After confirming the command, you can save the file and exit by typing :wq!
    %s/\<rsa_longer_source_decoder_hostname\>/192.168.10.10/gc

  3. Restart the Concentrator service by going to Administration -> Services -> Concentrator -> System, stopping aggregation, and then clicking on Shutdown Service.
  4. Connect to the Security Analytics Server via SSH as the root user and issue the following commands:
    # service rsa-sms stop
    # service rsa-sms start
    # stop jettysrv
    # start jettysrv
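
A non-interactive equivalent of the substitution in step 2, as an added example that is not part of the original article or RSA's tooling. It assumes GNU sed and grep; the function name `replace_source` and the sample lines are hypothetical and do not reflect real NwConcentrator.cfg syntax.

```shell
#!/bin/bash
# Added example: scripted form of the vi substitution in step 2.
# Assumes GNU grep/sed, which support the \< and \> word anchors.

# replace_source FILE HOSTNAME IP
# Backs up FILE to FILE.bak, then replaces whole-word HOSTNAME with IP.
# Prints the number of occurrences replaced; returns 1 if nothing matched,
# in which case FILE is left untouched and no backup is written.
replace_source() {
    local file="$1" host="$2" ip="$3" pat n
    # Dots are the only regex metacharacter a hostname or FQDN can contain.
    pat=$(printf '%s' "$host" | sed 's/\./\\./g')
    # Count matches first so a typo in the hostname is caught before editing.
    n=$(grep -o "\<$pat\>" "$file" | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] || { echo 0; return 1; }
    cp -p "$file" "$file.bak"              # same backup as in step 2
    sed -i "s/\<$pat\>/$ip/g" "$file"
    echo "$n"
}

# Constructed sample lines (not real NwConcentrator.cfg syntax).
# Only the first line holds the hostname as a whole word; the second
# contains it as part of a longer name and must stay unchanged.
demo() {
    local f
    f=$(mktemp)
    printf '%s\n' \
        'source=rsa_longer_source_decoder_hostname:56004' \
        'other=rsa_longer_source_decoder_hostname_old:56004' > "$f"
    echo "replaced: $(replace_source "$f" rsa_longer_source_decoder_hostname 192.168.10.10)"
    cat "$f"
    rm -f "$f" "$f.bak"
}
demo
```

The word anchors treat `-` and `.` as boundaries, so a short hostname also matches inside `hostname-2` or an FQDN that begins with it; compare the printed count with the number of occurrences you expect before restarting the service.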
